What You Need to Know About the Timthumb Script Vulnerability

You may never have heard of TimThumb, but if you’re using WordPress, chances are you’re using this handy little script.

What it does is simple – it takes an image and automatically resizes and crops it for use on your site. If your theme (or a plugin) features thumbnail images, you have TimThumb to thank for that.

But there’s a dark side to this handy little script. A couple of years ago, a serious vulnerability was found that allowed malicious hackers to use the code to upload other, dangerous scripts to your website. Since millions of sites use some version of the TimThumb script, this hack was devastating. Thousands of WordPress websites were hacked.

The script itself has been updated to fix the vulnerability, but you can’t simply assume your theme or plugins have been fixed. Just today, Regina reported on a plugin that still contained the old, vulnerable code. The TimThumb developers fixed the code a year ago, yet this plugin developer (Featured Posts with Thumbnail) waited a year to update. How many sites were hacked in that time because they were unwittingly using vulnerable code?
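The point above is that the fix only helps if every copy of the script on your site actually carries it, and themes and plugins each bundle their own copy. The following shell script is an added example (it is not code from the original post or from the TimThumb project): it walks a WordPress tree, finds every bundled copy and reports the version each one declares, so a stale copy stands out. It assumes the file is named `timthumb.php` or `thumb.php` and declares its version with a `define ('VERSION', '...')` line, as the published script does; the minimum "fixed" version is passed in by the administrator, and the `2.0` used in the demo is an illustrative value, not a threshold stated by this post. The sample tree it scans is constructed inside the script.

```shell
#!/bin/sh
# Inventory of bundled TimThumb copies in a WordPress install.
# Added example, not from the original post or the TimThumb project.
# Assumptions: the script ships as timthumb.php or thumb.php and declares
#   define ('VERSION', 'x.y');
# near the top of the file. The minimum safe version is supplied by the
# caller from the TimThumb project's own release notes.

# Print the VERSION string declared in one PHP file, or "unknown".
timthumb_version() {
    sed -n "s/.*define *( *'VERSION' *, *'\([0-9.]*\)' *).*/\1/p" "$1" \
        | head -n 1 | grep . || echo unknown
}

# Return 0 when dotted version $1 is greater than or equal to $2.
# Pure awk so it does not depend on GNU sort -V.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            xi = (i in x) ? x[i] + 0 : 0;
            yi = (i in y) ? y[i] + 0 : 0;
            if (xi > yi) exit 0;
            if (xi < yi) exit 1;
        }
        exit 0 }'
}

# scan_timthumb <wordpress-root> <min-safe-version>
# Prints one line per copy found: "<STATUS> <version> <path>", where STATUS is
# OK, OUTDATED, or UNKNOWN (file present but no version line recognised).
# An UNKNOWN copy deserves a manual look just as much as an OUTDATED one.
scan_timthumb() {
    find "$1" -type f \( -name timthumb.php -o -name thumb.php \) | while read -r f; do
        v=$(timthumb_version "$f")
        if [ "$v" = unknown ]; then
            status=UNKNOWN
        elif version_ge "$v" "$2"; then
            status=OK
        else
            status=OUTDATED
        fi
        printf '%s %s %s\n' "$status" "$v" "$f"
    done
}

# Build a constructed sample tree (not a real install): one theme bundling an
# old copy, one plugin bundling a newer copy, and one file with no version
# line. Versions here are made up for the demo. Prints the tree's path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/themes/demo-theme/lib" "$d/wp-content/plugins/demo-plugin"
    printf "<?php\ndefine ('VERSION', '1.2');\n" > "$d/wp-content/themes/demo-theme/lib/timthumb.php"
    printf "<?php\ndefine ('VERSION', '3.0');\n" > "$d/wp-content/plugins/demo-plugin/thumb.php"
    printf "<?php\n// header stripped by whoever bundled it\n" > "$d/wp-content/plugins/demo-plugin/timthumb.php"
    echo "$d"
}

# Stand-alone demo. The threshold 2.0 is illustrative only; on a real site pass
# the minimum version the TimThumb project documents as fixed.
sample=$(make_sample_tree)
scan_timthumb "$sample" 2.0
rm -rf "$sample"
```

On a real site run `scan_timthumb /path/to/wordpress <min-safe-version>` from a shell on the server; anything reported as OUTDATED or UNKNOWN is a theme or plugin whose bundled copy needs updating or removing, regardless of whether the theme or plugin itself claims to be current.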
